diff --git a/README.md b/README.md index 40b453f2..abe07982 100644 --- a/README.md +++ b/README.md @@ -45,9 +45,16 @@ These features still need to be tested, but are technically baked into the chart - [matrix-org/matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) IRC bridge - [tulir/mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) WhatsApp bridge - # Notes +* [Databases](#databases) +* [Federation](#federation) + * [Federation not Working](#federation-not-working) + * [Addiing Trusted Key Servers from an existing Secret](#addiing-trusted-key-servers-from-an-existing-secret) +* [Notes on using Matrix Sliding Sync](#notes-on-using-matrix-sliding-sync) +* [Notes on using MAS (Matrix Authentication Service)](#notes-on-using-mas-matrix-authentication-service) +* [About and Status](#about-and-status) + ## Databases You must select one of the following options: 
@@ -55,8 +62,62 @@ You must select one of the following options: - Use the [Bitnami PostgreSQL subchart](https://github.com/bitnami/charts/tree/main/bitnami/postgresql) (set `postgresql.enabled` to `true`) - Use your own external database, which can also be PostgreSQL. (set `externalDatabase.enabled` to `true`) -Note: you cannot enable both `externalDatabase` and `postgresql`. You must select _one_. +> [!NOTE] +> +> You cannot enable both `externalDatabase` and `postgresql`. You must select _one_. + + +## Federation + +### Federation not Working + +This can be broken for a number of reasons, and some of them are listed in the official [synapse docs](https://element-hq.github.io/synapse/latest/federate.html#setting-up-federation), but one that was persistent for the devs here was constantly getting a 401 when testing. + +I managed to finally get past that by adding the following to my values.yaml: + +```yaml +synapse: + ingress: + # replace matrix.mydomain.com with your actual matrix domain + nginx.ingress.kubernetes.io/configuration-snippet: | + location /.well-known/matrix/server { + return 200 '{"m.server": "matrix.mydomain.com:443"}'; + add_header Content-Type application/json; + } +``` + +> [!NOTE] +> +> By the way, you can test by going to `https://federationtester.matrix.org/api/report?server_name=matrix.mydomain.com` where `matrix.mydomain.com` is replaced by your synapse server. + +### Addiing Trusted Key Servers from an existing Secret +If you'd like to get your [`trusted_key_servers`](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#trusted_key_servers) from an existing Kubernetes Secret, you can do so with an in-line yaml block. 
Here's an example values.yaml: + +```yaml +matrix: + security: + trustedKeyServersExistingSecret: "trusted-key-servers" + trustedKeyServersSecretKey: "trustedKeyServers" +``` + +Here's an example Kubernetes Secret using in-line YAML (NOTE the `trusted_key_servers`): + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: trusted-key-servers + namespace: matrix +type: Opaque +stringData: + # friend.com is the matrix server you'd like to federate with :) + trustedKeyServers: |- + trusted_key_servers: + - server_name: friend.com + verify_keys: + ed25519:auto: abcdefghijklmnopqrstuvwxyz1234567890 +``` ## Notes on using Matrix Sliding Sync diff --git a/charts/matrix/Chart.lock b/charts/matrix/Chart.lock index 4dd93b35..b8659601 100644 --- a/charts/matrix/Chart.lock +++ b/charts/matrix/Chart.lock @@ -4,12 +4,12 @@ dependencies: version: 15.1.4 - name: coturn repository: https://small-hack.github.io/coturn-chart - version: 6.2.0 + version: 6.2.1 - name: matrix-sliding-sync repository: https://small-hack.github.io/matrix-sliding-sync-chart version: 0.5.0 - name: matrix-authentication-service repository: https://small-hack.github.io/matrix-authentication-service-chart version: 0.8.1 -digest: sha256:eff383917708d0e81f115ba68241ba911a1979b22842ef3b63a4ea0b04b51995 -generated: "2024-06-09T11:07:51.017558786Z" +digest: sha256:627a619aca7ddebe1a6fa738bd9d62ef2cf65eae7fb2147cfc22271eee8c0e19 +generated: "2024-06-20T13:11:00.78981229+02:00" diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index 534d4224..25b0ecc4 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml @@ -8,10 +8,10 @@ sources: type: application -version: 10.1.1 +version: 11.0.0 # renovate: image=matrixdotorg/synapse -appVersion: v1.108.0 +appVersion: v1.109.0 maintainers: - name: "jessebot" @@ -24,7 +24,7 @@ dependencies: condition: postgresql.enabled - name: coturn - version: 6.2.0 + version: 6.2.1 repository: https://small-hack.github.io/coturn-chart condition: coturn.enabled 
diff --git a/charts/matrix/README.md b/charts/matrix/README.md index 25e3c179..f2a781b8 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -1,6 +1,6 @@ # matrix -![Version: 10.1.1](https://img.shields.io/badge/Version-10.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.108.0](https://img.shields.io/badge/AppVersion-v1.108.0-informational?style=flat-square) +![Version: 11.0.0](https://img.shields.io/badge/Version-11.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.109.0](https://img.shields.io/badge/AppVersion-v1.109.0-informational?style=flat-square) A Helm chart to deploy a Matrix homeserver stack on Kubernetes @@ -20,7 +20,7 @@ A Helm chart to deploy a Matrix homeserver stack on Kubernetes | Repository | Name | Version | |------------|------|---------| -| https://small-hack.github.io/coturn-chart | coturn | 6.2.0 | +| https://small-hack.github.io/coturn-chart | coturn | 6.2.1 | | https://small-hack.github.io/matrix-authentication-service-chart | mas(matrix-authentication-service) | 0.8.1 | | https://small-hack.github.io/matrix-sliding-sync-chart | syncv3(matrix-sliding-sync) | 0.5.0 | | oci://registry-1.docker.io/bitnamicharts | postgresql | 15.1.4 | 
@@ -167,7 +167,7 @@ A Helm chart to deploy a Matrix homeserver stack on Kubernetes | element.enabled | bool | `true` | Set to false to disable a deployment of Element. Users will still be able to connect via any other instances of Element e.g. https://app.element.io, Element Desktop, or any other Matrix clients | | element.image.pullPolicy | string | `"IfNotPresent"` | pullPolicy to use for element image, set to Always if using latest tag | | element.image.repository | string | `"vectorim/element-web"` | registry and repository to use for element docker image | -| element.image.tag | string | `"v1.11.68"` | tag to use for element docker image | +| element.image.tag | string | `"v1.11.69"` | tag to use for element docker image | | element.ingress.annotations."cert-manager.io/cluster-issuer" | string | `"letsencrypt-staging"` | required for TLS certs issued by cert-manager | | element.ingress.annotations."nginx.ingress.kubernetes.io/configuration-snippet" | string | `"proxy_intercept_errors off;\n"` | | | element.ingress.className | string | `"nginx"` | ingressClassName for the k8s ingress | 
@@ -405,7 +405,7 @@ A Helm chart to deploy a Matrix homeserver stack on Kubernetes | matrix.experimental_features.msc3861.issuer | string | `"http://localhost:8080/"` | Synapse will call `{issuer}/.well-known/openid-configuration` to get the OIDC configuration | | matrix.extra_well_known_client_content | object | `{}` | extra sections for the your /.well-known/matrix/client which returns json used by clients to know where your matrix sliding sync server is | | matrix.federation.allowPublicRooms | bool | `true` | Allow members of other homeservers to fetch *public* rooms | -| matrix.federation.blacklist | list | `["127.0.0.0/8","10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","100.64.0.0/10","169.254.0.0/16","::1/128","fe80::/64","fc00::/7"]` | IP addresses to blacklist federation requests to | +| matrix.federation.blacklist | list | `[]` | IP addresses to blacklist federation requests to example blacklist values: - '127.0.0.0/8' - '10.0.0.0/8' - '172.16.0.0/12' - '192.168.0.0/16' - '100.64.0.0/10' - '169.254.0.0/16' - '::1/128' - 'fe80::/64' - 'fc00::/7' | | matrix.federation.enabled | bool | `false` | Set to true to enable federation | | matrix.federation.ingress.annotations."cert-manager.io/cluster-issuer" | string | `"letsencrypt-staging"` | required for TLS certs issued by cert-manager | | matrix.federation.ingress.annotations."nginx.ingress.kubernetes.io/configuration-snippet" | string | `"proxy_intercept_errors off;\n"` | required for the Nginx ingress provider. You can remove it if you use a different ingress provider | 
@@ -467,6 +467,9 @@ A Helm chart to deploy a Matrix homeserver stack on Kubernetes | matrix.retentionPeriod | string | `"7d"` | How long to keep redacted events in unredacted form in the database | | matrix.search | bool | `true` | Set to false to disable message searching | | matrix.security.surpressKeyServerWarning | bool | `true` | | +| matrix.security.trustedKeyServers | list | `[]` | | +| matrix.security.trustedKeyServersExistingSecret | string | `""` | use an existing Kubernetes Secret for trusted server list instead of matrix.security.trustedKeyServers | +| matrix.security.trustedKeyServersSecretKey | string | `"trustedKeys"` | key in existing Kubernetes Secret for trusted server list | | matrix.serverName | string | `"example.com"` | Domain name of the server: This is not necessarily the host name where the service is reachable. In fact, you may want to omit any subdomains from this value as the server name set here will be the name of your homeserver in the fediverse, & will be the domain name at the end of every username | | matrix.telemetry | bool | `false` | Enable anonymous telemetry to matrix.org | | matrix.uploads | object | `{"maxPixels":"32M","maxSize":"10M"}` | Settings related to image and multimedia uploads | diff --git a/charts/matrix/charts/coturn-6.2.0.tgz b/charts/matrix/charts/coturn-6.2.0.tgz deleted file mode 100644 index f6cba627..00000000 Binary files a/charts/matrix/charts/coturn-6.2.0.tgz and /dev/null differ diff --git a/charts/matrix/charts/coturn-6.2.1.tgz b/charts/matrix/charts/coturn-6.2.1.tgz new file mode 100644 index 00000000..70b0a135 Binary files /dev/null and b/charts/matrix/charts/coturn-6.2.1.tgz differ diff --git a/charts/matrix/templates/synapse/_homeserver.yaml b/charts/matrix/templates/synapse/_homeserver.yaml index 71158ff0..1fadb52a 100644 --- a/charts/matrix/templates/synapse/_homeserver.yaml +++ b/charts/matrix/templates/synapse/_homeserver.yaml 
@@ -1307,6 +1307,7 @@ signing_key_path: "/data/keys/{{ .Values.matrix.serverName }}.signing.key" # #key_refresh_interval: 1d +{{- if and .Values.matrix.security.trustedKeyServers (not .Values.matrix.security.trustedKeyServersExistingSecret) }} # The trusted servers to download signing keys from. # # When we need to fetch a signing key, each server is tried in parallel. @@ -1321,32 +1322,6 @@ signing_key_path: "/data/keys/{{ .Values.matrix.serverName }}.signing.key" # 'trusted_key_servers' defaults to matrix.org, but using it will generate a # warning on start-up. To suppress this warning, set # 'suppress_key_server_warning' to true. -# -# Options for each entry in the list include: -# -# server_name: the name of the server. required. -# -# verify_keys: an optional map from key id to base64-encoded public key. -# If specified, we will check that the response is signed by at least -# one of the given keys. -# -# accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset, -# and federation_verify_certificates is not `true`, synapse will refuse -# to start, because this would allow anyone who can spoof DNS responses -# to masquerade as the trusted key server. If you know what you are doing -# and are sure that your network environment provides a secure connection -# to the key server, you can set this to `true` to override this -# behaviour. -# -# An example configuration might look like: -# -#trusted_key_servers: -# - server_name: "my_trusted_server.example.com" -# verify_keys: -# "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" -# - server_name: "my_other_trusted_server.example.com" -# -{{- if .Values.matrix.security.trustedKeyServers }} trusted_key_servers: {{- range .Values.matrix.security.trustedKeyServers }} - server_name: {{ .serverName }} 
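Review bot: Setting both `matrix.security.trustedKeyServers` and `matrix.security.trustedKeyServersExistingSecret` now silently yields an empty trusted-server list: the added `{{- if and .Values.matrix.security.trustedKeyServers (not .Values.matrix.security.trustedKeyServersExistingSecret) }}` is false, so the `{{- else }} trusted_key_servers: []` branch in the hunk at @@ -1360 renders, and the deployment's merge step is guarded by the mirror condition `if and …ExistingSecret (not …trustedKeyServers)`, so neither source is applied. Rejecting the combination up front avoids the silent drop, e.g. `{{- if and .Values.matrix.security.trustedKeyServers .Values.matrix.security.trustedKeyServersExistingSecret }}{{ fail "set only one of matrix.security.trustedKeyServers and matrix.security.trustedKeyServersExistingSecret" }}{{- end }}`. The else branch also changes the default for installs that set neither value: the context comment above says `trusted_key_servers` defaults to matrix.org when omitted, and the old template omitted the key, whereas the new one writes an explicit empty list; if Synapse treats that as "no notary servers", signing keys can only be fetched directly from each origin homeserver, which should be stated in the chart's README or release notes for 11.0.0. The `{{- if }}` opened here is closed in the hunk at @@ -1360, outside this hunk.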
@@ -1360,6 +1335,8 @@ trusted_key_servers: accept_keys_insecurely: {{ .acceptKeysInsecurely }} {{- end }} {{- end }} +{{- else }} +trusted_key_servers: [] {{- end }} # Uncomment the following to disable the warning that is emitted when the diff --git a/charts/matrix/templates/synapse/deployment.yaml b/charts/matrix/templates/synapse/deployment.yaml index c4d832a1..3c2fb557 100644 --- a/charts/matrix/templates/synapse/deployment.yaml +++ b/charts/matrix/templates/synapse/deployment.yaml @@ -277,11 +277,19 @@ spec: yq eval -i '.email.smtp_user = env(SMTP_USER)' /data/homeserver.yaml && \ yq eval -i '.email.smtp_pass = env(SMTP_PASS)' /data/homeserver.yaml && \ {{- end }} + {{- if and .Values.matrix.security.trustedKeyServersExistingSecret (not .Values.matrix.security.trustedKeyServers) }} + yq eval-all --inplace 'select(fileIndex == 0) * select(fileIndex == 1)' /data/homeserver.yaml /key-servers/{{ .Values.matrix.security.trustedKeyServersSecretKey }} && \ + echo "Trusted key server merge finished." && \ + {{- end }} yq eval -i '.database.args.host = env(DATABASE_HOSTNAME)' /data/homeserver.yaml && \ yq eval -i '.database.args.database = env(DATABASE)' /data/homeserver.yaml && \ yq eval -i '.database.args.user = env(DATABASE_USERNAME)' /data/homeserver.yaml && \ yq eval -i '.database.args.password = env(DATABASE_PASSWORD)' /data/homeserver.yaml volumeMounts: + {{- if and .Values.matrix.security.trustedKeyServersExistingSecret (not .Values.matrix.security.trustedKeyServers) }} + - name: trusted-key-servers + mountPath: "/key-servers" + {{- end }} - name: synapse-initial-config mountPath: "/initial" - name: synapse-config 
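Review bot: The added `yq eval-all --inplace 'select(fileIndex == 0) * select(fileIndex == 1)' …` merges every top-level key of the Secret's YAML document into `/data/homeserver.yaml`, not only `trusted_key_servers`, so any other key in that document silently overrides the rendered Synapse config, including the `.email.smtp_*` values written by the lines just above it. Restricting the merge to the one key keeps the Secret from becoming a general config-override channel, e.g. `yq eval -i '.trusted_key_servers = load("/key-servers/{{ .Values.matrix.security.trustedKeyServersSecretKey }}").trusted_key_servers' /data/homeserver.yaml && \` (yq v4's `load` operator; confirm the image's yq provides it), ideally followed by a check that the result is not null so a mis-named key fails the init step instead of leaving an empty list. Mounting the whole Secret at `/key-servers` also exposes every key it holds to the container, which is acceptable if the Secret is dedicated to this purpose; the values.yaml comment should say so. The shell command list continues outside the hunk.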
@@ -436,6 +444,11 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} volumes: + {{- if and .Values.matrix.security.trustedKeyServersExistingSecret (not .Values.matrix.security.trustedKeyServers) }} + - name: trusted-key-servers + secret: + secretName: {{ .Values.matrix.security.trustedKeyServersExistingSecret }} + {{- end }} - name: synapse-initial-config configMap: name: {{ include "matrix.fullname" . }}-initial-synapse-config diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index ada03c7d..4dadfc28 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -82,16 +82,17 @@ matrix: whitelist: [] # -- IP addresses to blacklist federation requests to - blacklist: - - '127.0.0.0/8' - - '10.0.0.0/8' - - '172.16.0.0/12' - - '192.168.0.0/16' - - '100.64.0.0/10' - - '169.254.0.0/16' - - '::1/128' - - 'fe80::/64' - - 'fc00::/7' + # example blacklist values: + # - '127.0.0.0/8' + # - '10.0.0.0/8' + # - '172.16.0.0/12' + # - '192.168.0.0/16' + # - '100.64.0.0/10' + # - '169.254.0.0/16' + # - '::1/128' + # - 'fe80::/64' + # - 'fc00::/7' + blacklist: [] ingress: # -- enable ingress for federation @@ -348,6 +349,14 @@ matrix: # key: "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" # acceptKeysInsecurely: false # - serverName: my_other_trusted_server.example.com + trustedKeyServers: [] + + # -- use an existing Kubernetes Secret for trusted server list instead of + # matrix.security.trustedKeyServers + trustedKeyServersExistingSecret: "" + + # -- key in existing Kubernetes Secret for trusted server list + trustedKeyServersSecretKey: "trustedKeys" # -- Set to true to globally block access to the homeserver disabled: false @@ -1507,7 +1516,7 @@ element: # -- registry and repository to use for element docker image repository: "vectorim/element-web" # -- tag to use for element docker image - tag: v1.11.68 + tag: v1.11.69 # -- pullPolicy to use for element image, set to Always if using latest tag pullPolicy: IfNotPresent service:
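Review bot: Moving the loopback, RFC 1918, CGNAT and link-local ranges from the default `blacklist` into comments means a default install no longer asks the chart to block federation traffic to those ranges; what Synapse then does depends on how the template renders an empty list, which is not in this diff — if it emits an explicit empty `federation_ip_range_blacklist` or `ip_range_blacklist`, Synapse's own built-in denial of private ranges is overridden and a federating peer could steer requests at in-cluster services. Either keep the ranges as the default, or make the template omit the key entirely when the list is empty so Synapse's default applies, and state in the `# --` comment which of the two happens. This is a security-relevant default change and belongs in the release notes for the major version bump.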
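Review bot: The new `# --` comments do not say that `trustedKeyServersExistingSecret` and `trustedKeyServers` are mutually exclusive, nor what the Secret key must contain; the deployment template merges that key as a whole YAML document, so it must hold a top-level `trusted_key_servers:` list rather than a bare list. Suggested wording: `# -- use an existing Kubernetes Secret instead of matrix.security.trustedKeyServers (set only one of the two); the key must hold a YAML document with a top-level trusted_key_servers list, see README`. It is also worth noting in the comment that the default key name `trustedKeys` differs from the `trustedKeyServers` key used in the README example, so users must set `trustedKeyServersSecretKey` to match their Secret.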